
Acronis True Image 2020 reported ransomware - recovered 17/20 files


JamOrange
Solved by Maurice Naggar

Hi all,

I plugged in my Navitel dashcam, which I had installed by our local Citroen dealer. The first time I did, everything was fine, no apparent issues whatsoever.

However, today when I plugged the dashcam into my PC (Windows10), Acronis reported potential ransomware - please see attached.

I've run a complete scan with Malwarebytes Premium (v4.6.5) and also McAfee Total Protection (updated daily), neither of which reported any issues, and both are running constantly on my PC.

Do I have an issue, or is Acronis reporting a false positive?

Many thanks

JamOrange

Ransomware_2023-10-21_090340.png


  • Solution

Hello. Did you notice that the lines displayed are all iconcache database files? That they are all seemingly in one single specific sub-folder:
%userprofile%\appdata\local\microsoft\windows\explorer\
All files listed are iconcache files.

One must be extra careful and not automatically assume that "actual encrypting ransomware" is what the underlying issue is.
First, you make no mention of any "ransom notes".
Second, you make no mention that you are suddenly unable to open documents in your Documents folder.
Those 2 things being true would be some indication of a ransomware.

Have you gotten any actual on-screen displayed messages for ransom payment?
Have you looked at the current contents of your Desktop and your Documents folders for files with names similar to

_openme.txt, _open_.txt or _readme.txt

If there are no ransom notes displayed asking for payment in crypto-currency, and if you have had no locked files / documents (which you could not open in their native application), then it is not the case that this is an actual "ransomware".

See the articles cited below about how to rebuild the icon cache. And before you actually do that, you want to first do a Windows Restart.


How to Rebuild Icon Cache in Windows 10 or 11
https://www.winhelponline.com/blog/how-to-rebuild-the-icon-cache-in-windows/

How to reset the icon cache database on Windows 10
https://www.windowscentral.com/how-reset-icon-cache-database-windows-10

I would recommend you recheck on the reputation, etc. of the maker of that dashcam program. Double check on it.
In the same vein, check with Acronis support about the original incident.

Best wishes.
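The two checks the answer above asks for (are all the flagged files really iconcache databases in the Explorer cache folder, and are there any note-like `_*.txt` files on the Desktop or in Documents) can be scripted over the paths an alert lists. This is an added example, not code from the thread or from Acronis; the user name `jam`, the sample file list and the leading-underscore regex (which generalises the three note names the post gives) are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Explorer keeps its icon cache here, relative to %userprofile% (the folder named in the thread).
EXPLORER_TAIL = ("appdata", "local", "microsoft", "windows", "explorer")
ICON_CACHE_RE = re.compile(r"^iconcache_[0-9a-z]+\.db$", re.IGNORECASE)
# Leading-underscore .txt names, generalising the post's _openme.txt / _open_.txt / _readme.txt.
RANSOM_NOTE_RE = re.compile(r"^_[a-z0-9_]*\.txt$", re.IGNORECASE)
USER_DOC_DIRS = {"desktop", "documents"}

def is_icon_cache_file(path: str) -> bool:
    """True if path is an iconcache_*.db sitting directly inside the Explorer cache folder."""
    p = PureWindowsPath(path)
    parent_tail = tuple(part.lower() for part in p.parts[-6:-1])
    return parent_tail == EXPLORER_TAIL and ICON_CACHE_RE.match(p.name) is not None

def is_ransom_note_candidate(path: str) -> bool:
    """True if path is a note-like .txt anywhere under a Desktop or Documents folder."""
    p = PureWindowsPath(path)
    in_user_docs = any(part.lower() in USER_DOC_DIRS for part in p.parts[:-1])
    return in_user_docs and RANSOM_NOTE_RE.match(p.name) is not None

def triage(flagged_paths, user_files):
    """Cross-check an alert's flagged files against the two signs the answer asks about."""
    all_cache = all(is_icon_cache_file(p) for p in flagged_paths)
    notes = [f for f in user_files if is_ransom_note_candidate(f)]
    verdict = ("consistent with icon-cache false positive"
               if all_cache and not notes else "investigate further")
    return {"all_icon_cache": all_cache, "ransom_notes": notes, "verdict": verdict}

# Constructed sample data; the user name 'jam' is hypothetical.
EXPLORER = r"C:\Users\jam\AppData\Local\Microsoft\Windows\Explorer"
FLAGGED = [rf"{EXPLORER}\iconcache_{size}.db" for size in ("16", "32", "48", "256", "idx")]
USER_FILES = [
    r"C:\Users\jam\Documents\budget.xlsx",
    r"C:\Users\jam\Desktop\report.pdf",
    r"C:\Program Files\PDF24\lang\_readme.txt",  # outside Desktop/Documents, so not a note candidate
]

if __name__ == "__main__":
    print(triage(FLAGGED, USER_FILES))
```

A note-like file under Desktop or Documents, or any flagged path outside the icon cache folder, flips the verdict to "investigate further"; a clean result still leaves the question of what the dashcam software was doing to those files.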

Hi @Maurice Naggar

Many thanks for your detailed reply. Working through your thoughts and suggestions does reassure me that this was almost certainly a false positive for ransomware. Other than knowing what I've read about the carnage/misery that ransomware causes and that it can trigger from any point in time after hitting your device, I know very little about it. My only protection is to keep my paid-up versions of Malwarebytes and McAfee always up to date, which I do. 

My PC had been shutdown overnight and has restarted fine this morning.

I did notice that all the files were iconcache and in a single directory; %userprofile%\appdata\local\microsoft\windows\explorer\ - but I didn't know if this was just the beginning or the start of the ransomware countdown.

No, again, reassuringly, I've not had any on-screen messages or "ransom notes", and I'm able to open documents/Excel/PDFs in my Documents folder fine in their native apps. So, so far, thankfully, I've not come across any locked documents.

I manually checked my Documents folder and Desktop and also did a search across my entire PC (C: and D:) this morning looking for files with the regex expression "^_.*.txt", and none have been found from yesterday; in total just 1 file: C:\Program Files\PDF24\lang\_readme.txt, created on 30/04/23.

As you say, I need to check on the reputation of the maker of the dashcam, "Navitel DVR Player" program. Until then I'll stop using it.  

As everything appears ok from restarting my PC from overnight, including my icons, I'll read through the article links you included to rebuild the icon cache, as good to know.

I will also, as you suggest, definitely check with Acronis support about the original incident.

Thanks again.

Best Regards

JamOrange
